On Sunday 16 March 2008 13:36, you wrote:
> Hi Martin,
>
> On Sunday 16 March 2008 12:56, Martin Dougiamas wrote:
> > Actually Moodle doesn't even use smarty (we were going to but we
> > didn't) so this can be completely removed from the code base without
> > any effect.   I'll remove it upstream too.
> >
> > Is it still a security problem to have the script there if we don't use
> > it?
>
> Thanks for your quick response. I see that it's commented out in setup.php,
> however, the following file seems to include and use it:
> question/format/qti2/format.php
>
> Could you comment on that?

I've checked this file out in detail, and it doesn't use the vulnerable 
function of this Smarty security bug.

That means that there's no immediate security problem fortunately, but that 
still leaves the problem of removing the embedded smarty code before this 
package can be released.

As only this one file uses it, either removing it from that file, or making 
that file use the archive copy of smarty are acceptable solutions to this 
bug.


Thijs
